bontempi (Bug Member; Joined: Oct 08, 2004; Posts: 34; Location: Bromley)
Post subject: 5861 IPSec VPN   Posted: Jun 18, 2005 - 06:11 PM
I'm trying to set up a 5861 so that it can accept IPSec VPN connections from mobile clients. I'm pretty confident I've set up both the 5861 and client correctly; however, the 5861 just doesn't seem to be responding in any way, shape or form (e.g. either positively or negatively) to the client's phase 1 negotiation requests.

I'm using a Watchguard badged version of SafeNet's SoftRemote on the client, so it's possible that I need a different client, although I don't really see why as it has all the IPSec options I need. Any thoughts on this? I was thinking of buying the VPN client sold by The Greenbow as it specifically supports the 5861, but I'm loath to buy it only to find out something else was the issue.

Secondly, I was wondering if there is a way of checking whether the 5861 is receiving the negotiation requests of the client and what it is doing with them? The system log doesn't show anything relating to this.

Finally, is it possible that the IPSec connection is being blocked by either the stateful or ipfilter firewall? I would have thought this would only be an issue if I was trying to terminate the VPN on an appliance behind the 5861. I did try turning off the stateful firewall just in case but it didn't make a difference.

Cheers.

Graeme
okitismine (Starting Bug; Joined: Apr 11, 2004; Posts: 16)
Post subject: RE: 5861 IPSec VPN   Posted: Jun 23, 2005 - 03:45 AM
The VPN must be aggressive; you need to allow UDP 500 and protocol 50 in the firewall scripts. What firewall scripts do you use?
If the firewall is dropping packets then it will show in the logs, if watch is on.
bontempi (Bug Member; Joined: Oct 08, 2004; Posts: 34; Location: Bromley)
Post subject: RE: 5861 IPSec VPN   Posted: Jun 30, 2005 - 07:01 PM
VPN is aggressive mode. Ports 500, 50 and 51 have been allowed through the remote ipfilter firewall automatically.

I can see that the stateful firewall is dropping the request, so I at least know it's reaching my router. I've tried switching the stateful firewall off for debugging purposes, but the client is still not receiving a response from my router.

I've tried watching for dropped packets from the remote ipfilter firewall and I'm not seeing any being dropped. In any case, the only entries in the remote ipfilter firewall are those that have been put there by the IPSec commands.

One thing I'm not sure about is the destination IP address (i.e. of the remote client). From what I understand this should be set to a reserved IP address that isn't in the same IP range as either the LAN behind my router or the client's private IP. In this case my LAN is 192.168.0.0 and client is 192.168.111.?. So I set the destination IP address to 192.168.1.1. Is that correct? I noticed that this caused rules to be added to the remote ipfilter list which drop packets from 192.168.1.1 on the input and output chains.
bontempi (Bug Member; Joined: Oct 08, 2004; Posts: 34; Location: Bromley)
Post subject: RE: 5861 IPSec VPN   Posted: Jul 02, 2005 - 11:28 AM
I'm really getting to my wit's end with this. Here is the complete setup in case anyone can help:

Corporate LAN (192.168.0.0/24)
Efficient Router
LAN: 192.168.0.1 (performs NAT for LAN)
WAN: X.X.X.X (static ip)
^
|
Linksys WRT54GS
WAN: ?.?.?.? (dynamic ip)
LAN: 192.168.1.1 (performs NAT&DHCP for LAN)
Home LAN (192.168.1.0/24)

Note: Only the PC with the VPN client needs access to the corporate LAN. This isn't branch-branch VPN.

The problem is that the first IKE negotiation message is being sent to the Efficient gateway but no response is received (either positive or negative). When I have the stateful firewall turned on on the Efficient unit I can see the first request coming in on port 500 from the Linksys' dynamic IP and being blocked. So I turned off the stateful firewall for debugging purposes but still don't get any further.

Efficient setup:

Peers:
Gateway: 0.0.0.0
Secret: *secret*
Mode: agressive
Local ID: mydomain.com
Peer ID: an@email.com

IKE Proposals:
Message Auth: SHA-1
Session Auth: Preshared keys
Phase 1 encryption: 3-DES
Diffie-Hellman Group: 2

IKE IPSec Proposals:
AH: None
ESP Auth: SHA-1
ESP Encryption: DES-CBC
Compression: none

IKE IPSec Policies:
Source: 192.168.0.0/24
Destination: 192.168.1.100/32

TheGreenBow VPN Client setup:

Phase 1:
Interface: *
Remote Address: X.X.X.X
Preshared key: *secret*
IKE Encryption: 3DES
IKE Auth: SHA
IKE Key Group: DH1024
Mode: Agressive
NAT Port: *blank*
Local ID: an@email.com

Phase 2:
Local address: 192.168.1.100/32
Network: 192.168.0.0/24
ESP Encryption: DES
ESP Auth: SHA
ESP Mode: Tunnel
PFS: Off

There is no evidence in the Efficient system log that it is attempting to start an IKE negotiation.

The Linksys at the client side has IPSec VPN passthru enabled.

The VPN setup on the Efficient automatically created the following IP Filter commands which are the only ip filter commands I'm using:

# Begin rules for input list
remote ipfilter flush input internet
remote ipfilter insert 0 input accept -c 18 -p udp -sp 500 -da X.X.X.X -dp 500 (IKE Global Filter) internet
remote ipfilter insert 1 input accept -c 0 -p 51 -da X.X.X.X (IKE Global Filter) internet
remote ipfilter insert 2 input accept -c 0 -p 50 -da X.X.X.X (IKE Global Filter) internet
remote ipfilter insert 3 input drop -c 0 -sa 192.168.1.100 -da 192.168.0.0:192.168.0.255 (sa_rx2) internet
# End rules for input list

# Begin rules for receive list
remote ipfilter flush receive internet
remote ipfilter insert 0 receive inipsec -c 0 -p 50 -sa 0.0.0.0 -da X.X.X.X -ipsec sa_rx1 internet
remote ipfilter insert 1 receive inipsec -c 0 -p 50 -sa 0.0.0.0 -da X.X.X.X -ipsec sa_rx2 internet
# End rules for receive list

# Begin rules for transmit list
remote ipfilter flush transmit internet
remote ipfilter insert 0 transmit accept -c 0 -p udp -sa X.X.X.X -sp 500 -dp 500 (IKE Global Filter) internet
remote ipfilter insert 1 transmit accept -c 0 -p 50 -sa X.X.X.X (IKE Global Filter) internet
remote ipfilter insert 2 transmit accept -c 0 -p 51 -sa X.X.X.X (IKE Global Filter) internet
remote ipfilter insert 3 transmit outipsec -c 1 -sa 192.168.0.0:192.168.0.255 -da 192.168.1.100 -ipsec sa_tx internet
# End rules for transmit list

# Begin rules for output list
remote ipfilter flush output internet
remote ipfilter insert 0 output accept -c 0 -p udp -sa X.X.X.X -sp 500 -dp 500 (IKE Global Filter) internet
remote ipfilter insert 1 output accept -c 0 -p 50 -sa X.X.X.X -da 0.0.0.0 (sa_rx2) internet
remote ipfilter insert 2 output drop -c 0 -sa 192.168.0.0:192.168.0.255 -da 192.168.1.100 (sa_rx2) internet
# End rules for output list

I've tried turning on 'watch' for the remote ipfilters and the syslog doesn't report anything being dropped.
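To make the hand-trace of the input-list rules above reproducible, here is an added example (not code from this thread or from Efficient Networks) that parses the `remote ipfilter insert` lines as posted and reports which rule a sample packet hits first. It assumes first-match semantics, that `a:b` is an inclusive address range, that an unmatched packet is accepted (none of which the page states), and uses 203.0.113.1 as a placeholder for the router's WAN address X.X.X.X.

```python
# Added for this thread, not the router's own code; 203.0.113.1 stands in for X.X.X.X.
# Assumed (the page does not say): first match wins, 'a:b' is an inclusive range, no match = accept.
import ipaddress
import re

INPUT_RULES = """\
remote ipfilter insert 0 input accept -c 18 -p udp -sp 500 -da 203.0.113.1 -dp 500 (IKE Global Filter) internet
remote ipfilter insert 1 input accept -c 0 -p 51 -da 203.0.113.1 (IKE Global Filter) internet
remote ipfilter insert 2 input accept -c 0 -p 50 -da 203.0.113.1 (IKE Global Filter) internet
remote ipfilter insert 3 input drop -c 0 -sa 192.168.1.100 -da 192.168.0.0:192.168.0.255 (sa_rx2) internet
"""
RULE_RE = re.compile(r"remote ipfilter insert (\d+) (\w+) (\w+) (.*?)(?: \((.*?)\))? internet$")

def parse_rules(text):
    """Turn each 'remote ipfilter insert ...' line into a dict of its '-flag value' options."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            idx, lst, action, opts, comment = m.groups()
            toks = opts.split()
            rule = {"index": int(idx), "list": lst, "action": action, "comment": comment or ""}
            rule.update(zip(toks[0::2], toks[1::2]))
            rules.append(rule)
    return rules

def _addr_matches(spec, addr):
    a = ipaddress.ip_address(addr)
    if ":" in spec:                              # inclusive low:high range
        lo, hi = (ipaddress.ip_address(x) for x in spec.split(":"))
        return lo <= a <= hi
    return a == ipaddress.ip_address(spec)

def _rule_matches(rule, pkt):
    # A rule matches when every option it carries agrees with the packet fields.
    checks = {"-p": lambda v: v == pkt["proto"],
              "-sa": lambda v: _addr_matches(v, pkt["src"]),
              "-da": lambda v: _addr_matches(v, pkt["dst"]),
              "-sp": lambda v: int(v) == pkt.get("sport"),
              "-dp": lambda v: int(v) == pkt.get("dport")}
    return all(fn(rule[opt]) for opt, fn in checks.items() if opt in rule)

def evaluate(rules, pkt):
    """Return (action, rule index) of the first matching rule, or ('accept', None)."""
    for rule in rules:
        if _rule_matches(rule, pkt):
            return rule["action"], rule["index"]
    return "accept", None

RULES = parse_rules(INPUT_RULES)
# Constructed sample packets: the client's IKE request, and a cleartext packet claiming the tunnel address.
IKE = {"proto": "udp", "src": "198.51.100.7", "dst": "203.0.113.1", "sport": 500, "dport": 500}
SPOOF = {"proto": "udp", "src": "192.168.1.100", "dst": "192.168.0.5", "sport": 1025, "dport": 80}
```

Rule 3 is the one worth keeping: a cleartext packet that claims the client's tunnel address is dropped, so only traffic that arrived through the ESP SA can use it. Rule 0 only matches while the source port is still 500 after the client's NAT, which is one more thing to confirm in the watch output.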
bontempi (Bug Member; Joined: Oct 08, 2004; Posts: 34; Location: Bromley)
Post subject: RE: 5861 IPSec VPN   Posted: Jul 09, 2005 - 08:58 PM
Still haven't resolved the problem. Turned on verbose mode for all the ipfilter statements and I could see the IKE packet coming in on port 500 and being accepted. So I know that it isn't being dropped by either the stateful or ipfilter firewall. But since there is nothing in the syslog to suggest it was recognising it had to start IKE negotiation, I can only assume that the VPN facility isn't working on this router. I noticed that ipsec as well as all the other options don't have a ~ in front of them when I type the "version" command, but I assume this is because all these options are turned on by default on the rapid secure models.

Has anyone actually seen the IPSec VPN facility working on a 5861?

I think I'm just going to have to buy a new router as I've wasted so much time on this :(